DNS

For privacy reasons, we provide two DNS-Over-TLS resolvers. These are only accessible over port 853. We have no plans to provide DNS over port 53 (plaintext) or port 443 (https).

DNS-Over-TLS Clients

We suggest using either Unbound or Stubby.
Unbound has been independently audited. It is also fast and pretty straightforward to set up.

Unbound Configuration

server:
  # CA bundle used to validate the upstream resolver's TLS certificate
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  rrset-roundrobin: yes
forward-zone:
  name: "."
  forward-tls-upstream: yes
  # ip@port#auth-name: the presented certificate must be valid for dns1.nuked.me
  forward-addr: 104.244.72.77@853#dns1.nuked.me

Stubby Configuration

dnssec_return_status: GETDNS_EXTENSION_TRUE
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1
  - 0::1
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 104.244.72.77
    tls_port: 853
    tls_auth_name: "dns1.nuked.me"

Notes

Depending on how you handle DNS currently, you may need to make other changes.

If you use a static /etc/resolv.conf, you just need to change the nameserver line to point at the local resolver (nameserver 127.0.0.1); Unbound handles the rest.

If you use systemd-resolved, you'll need to do the following:

nano /etc/systemd/resolved.conf

Uncomment the DNS= line in the [Resolve] section and set it to: DNS=127.0.0.1
Then restart systemd-resolved with:

sudo service systemd-resolved restart

To check it's set correctly, run resolvectl dns, which should list 127.0.0.1, and that's it!

For Windows, see privacytools.io for further information.